(Nikkei BP Group)
(No.1 High-Tech News Site in Japanese)
Japan Center Unhappy with Unauthorized Access Proposals
December 4, 1998 (TOKYO) -- The Japan Network Information Center held
an emergency meeting recently to debate inadequacies in two draft proposals
for legislation that would control unauthorized access to computers.
The draft proposals were published separately in November by the National
Police Agency (NPA) and Ministry of Posts and Telecommunications (MPT).
The purpose of the JPNIC debate was to solicit opinions from members
about the two draft documents, with a view toward submitting a summary
of comments to relevant ministries and agencies. A further aim was to
provide JPNIC members with basic information about the proposed legislation
and its objectives. Lawyers with specific knowledge of laws and regulations
enacted in other countries also attended the meeting.
During the three-hour debate, members mostly voiced their dissatisfaction
at the excessive ambiguities in the draft documents. Among other things,
they thought that "unauthorized access" was inadequately defined, and
they commented on the lack of clarity about what needs to be recorded
in access logs.
For example, the NPA and MPT draft documents include the fraudulent use
of an ID or password under the definition of "unauthorized access."
But they do not make clear whether the action of acquiring such IDs
or passwords, by means such as exhaustively attacking a server (brute-force
attack), comes under the definition.
In regard to keeping access logs, JPNIC members expressed doubts as to
whether log files, which are text files that can easily be tampered
with, constitute adequate evidence. One person made the following comment:
"Of course, hackers will erase their traces from access logs when they
abuse a server as a relay site. So it's nonsense to require the administrator
of a vulnerable server to store logs."
Apart from expressing dissatisfaction with the lack of specific detail
in the documents, JPNIC members raised doubts about limiting the type
of information protected under the legislation to IDs and passwords
only. They also questioned the legal requirement to keep logs for three
months and to report discovered incidents to the Public Safety Commission.
One member said that "there must be lots of other things that ought
to be done to deter hackers besides obliging administrators to keep
A show of hands indicated that most JPNIC members could neither agree
nor disagree with the drafts in their present form in regard to the
duty to keep logs, the adequacy of the three-month storage period, the
"unauthorized access" definition and other matters.
There was consensus in one aspect only: the vast majority of members
opposed having to report discovered access attempts or break-ins to
the Public Safety Commission.